[57] ABSTRACT

A method is provided for securing stored files in a system 
having a plurality of system users with each system user 
having an associated asymmetric crypto-key with a public
key portion and a corresponding private key portion. Each 
public key portion is accessible to the plurality of system 
users. Each private key portion has a first private key portion 
known only to the associated user and a corresponding 
second private key portion known only to a security server. 
Data to be stored is identified. A symmetric crypto-key is 
encrypted with only the second private key portion of a first 
user crypto-key to form an encrypted key message, thereby 
restricting access to the symmetric crypto-key to only the 
first user. The symmetric crypto-key is obtained by the first 
user by applying the first private key portion of the first user 
crypto-key to decrypt the encrypted key message. The first 
user encrypts the data with the symmetric crypto-key to 
form an encrypted file, and stores the encrypted file and the 
encrypted key message. 

24 Claims, 8 Drawing Sheets

SECURING E-MAIL COMMUNICATIONS
AND ENCRYPTED FILE STORAGE USING
YAKSHA SPLIT PRIVATE KEY
ASYMMETRIC CRYPTOGRAPHY

RELATED APPLICATIONS 

This application is a continuation-in-part of application
Ser. No. 08/277,376 filed Jul. 18, 1994 now U.S. Pat. No.
5,557,678 and a continuation-in-part of 08/338,128, filed
Nov. 9, 1994 now U.S. Pat. No. 5,535,276.

FIELD OF THE INVENTION 

The present invention relates generally to securing com-
munications and stored files using cryptography. More
particularly, the present invention provides secure electronic
mail communications, such as INTERNET e-mail, and 
electronic data storage using asymmetric crypto-keys. 

BACKGROUND ART

Cryptosystems have been developed for maintaining the 
privacy of information transmitted across a communications 
channel. Often, a symmetric cryptosystem is used for this
purpose. Symmetric cryptosystems, which utilize electronic 
keys, can be likened to a physical security system where a 
box has a single locking mechanism with a single key hole. 
One key holder uses his/her key to open the box, place a 
message in the box and relock the box. Only a second holder 
of the identical copy of the key can unlock the box and 
retrieve the message. The term symmetric reflects the fact 
that both users must have identical keys. 

In more technical terms, a symmetric cryptosystem com- 
prises an encryption function E, a decryption function D, 
and a shared secret-key, K. The key is a unique string of data 
bits to which the functions are applied. Two examples of 
encipherment/decipherment functions are the National 
Bureau of Standards Data Encryption Standard (DES) and 
the more recent Fast Encipherment Algorithm (FEAL). To
transmit a message, M, in privacy, the sender computes
C=E(M,K), where C is referred to as the ciphertext. Upon receipt
of C, the recipient computes M=D(C,K), to recover the
message M. An eavesdropper who copies C, but does not
know K, will find it practically impossible to recover M.
Typically, all details of the enciphering and deciphering 
functions, E and D, are well known, and the security of the 
system depends solely on maintaining the secrecy of key, K. 
Conventional symmetric cryptosystems are fairly efficient 
and can be used for encryption at fairly high data rates, 
especially if appropriate hardware implementations are 
used. 

Asymmetric cryptosystems, often referred to as public 
key cryptosystems, provide another means of encrypting 
information. Such systems differ from symmetric systems in
that, in terms of physical analogue, the box has one lock with
two non-identical keys associated with it. For example, in an
RSA system, either key can be used to unlock the box to 
retrieve a message which has been locked in the box by the 
other key. However, the system could be limited to using the 
keys in a particular sequence, such that the box can only be 
locked with the one key and unlocked with the other key. 

In public key electronic cryptosystems, each entity has a
private key, d, which is known only to the entity, and a
public key, eN, which is publicly known. Once a message is
encrypted with a user's public-key, it can only be decrypted
using that user's private-key, and conversely, if a message is
encrypted with a user's private-key, it can only be decrypted
using that user's public-key. It will be understood by those
familiar with the art that although the terms "encrypt" and
"decrypt" and derivations thereof are used herein in describ-
ing the use of public and private keys in an asymmetric
public key cryptosystem, the term "transform" is commonly
used in the art interchangeably with the term "encrypt" and
the term "invert" is commonly used in the art interchange-
ably with the term "decrypt". Accordingly, as used herein in
describing the use of public and private keys, the term
"transform" could be substituted for the term "encrypt" and
the term "invert" could be substituted for the term "decrypt".

If sender x wishes to send a message to receiver y, then
x "looks-up" y's public key eN, and computes M=E(C,e_y)
and sends it to y. User y can recover M using its private-key
d_y by computing C=D(M,d_y). An adversary who makes a
copy of C but does not have d_y, cannot recover M. However,
public-key cryptosystems are inefficient for large messages.

Public-key cryptosystems are quite useful for digital
signatures. The signer, x, computes S=E(M,d_x) and sends
[M,S] to y. User y "looks-up" x's public-key e_x, and then
checks to see if M=D(S,e_x). If it does, then y can be
confident that x signed the message, since computing S, such
that M=D(S,e_x), requires knowledge of d_x, x's private key,
which only x knows.

Public-key cryptography also provides a convenient way
of performing session key exchange, after which the key that
was exchanged can be used for encrypting messages during
the course of a particular communications session and then
destroyed, though this can vary depending on the applica-
tion.

One public key cryptographic system is the Rivest,
Shamir, Adleman (RSA) system, as described in Rivest,
Shamir and Adleman, "A Method of Obtaining Digital
Signatures and Public Key Cryptosystems", CACM, Vol 21,
pp 120-126, February 1978. RSA is a public-key based
cryptosystem that is believed to be very difficult to break. In
the RSA system the pair (e_i, N_i) is user i's public-key and d_i
is the user's private key. Here N_i=pq, where p and q are large
primes. Here also e_i d_i=1 mod φ(N_i), where φ(N_i)=(p-1)(q-1)
which is the Euler Totient function which returns the
number of positive numbers less than N_i, that are relatively
prime to N_i. A Carmichael function is sometimes used in lieu
of a Euler Totient function.
To encrypt a message being sent to user j, user i will
compute C=M^(e_j) mod N_j and send C to user j. User j can then
perform M=C^(d_j) mod N_j to recover M. User i could also send
the message using his signature. The RSA based signature of
user i on the message, M, is M^(d_i) mod N_i. The recipient of the
message, user j, can perform (M^(d_i) mod N_i)^(e_i) mod N_i to
verify the signature of i on M.

In a typical mode of operation, i sends j, M^(d_i) mod N_i along
with M and a certificate C=(i,e_i N_i)^(d_CA) mod N_CA, where C is
generated by a Certificate Authority (CA) which serves as a
trusted off-line intermediary. User j can recover i's public
key from C, by performing C^(e_CA) mod N_CA, as e_CA and N_CA
are universally known. It should also be noted that in an RSA
system the encryption and signatures can be combined.

Modifications to RSA systems have been proposed to
enable multi-signatures to be implemented. Such an
approach is described in "Digital Multisignature", C. Boyd,
Proceedings of the Inst. of Math. and its Appl. on Cryptog-
raphy and Coding, Dec. 15-17, 1986. The proposed
approach extends the RSA system by dividing or splitting
the user private key d into two or more portions, say d_a and
d_b, where d_a*d_b=d.
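The multiplicative split of the private key described above, and the abstract's use of the server-held portion to wrap a symmetric key, worked through in Python as an added example (not code from the patent). The toy Mersenne-prime modulus, the password-to-exponent derivation and all function names are assumptions made for illustration; the unwrap step also applies the public exponent, which follows from d1*d2*e = 1 mod φ(N).

```python
import hashlib
import math

# Constructed toy parameters (two Mersenne primes, ~92-bit modulus) so the
# example runs instantly; a real modulus is hundreds of bits or more.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                    # public exponent
D = pow(E, -1, PHI)          # full private exponent; not kept after the split


def user_portion_from_password(password, bits=64):
    """Hypothetical derivation of the short user portion d1 from a password.

    The page only says the password becomes the user's portion; hashing it
    and nudging the result until it is invertible mod phi(N) is an assumption.
    """
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    d1 = (int.from_bytes(digest, "big") >> (256 - bits)) | 1
    while math.gcd(d1, PHI) != 1:
        d1 += 2
    return d1


def split_private_key(password):
    """Return (d1, d2) with d1 * d2 = d (mod phi(N)): user and server portions."""
    d1 = user_portion_from_password(password)
    d2 = (D * pow(d1, -1, PHI)) % PHI
    return d1, d2


def server_wrap_key(sym_key, d2):
    """Security server: transform the symmetric key with only its portion d2."""
    return pow(sym_key, d2, N)


def user_unwrap_key(key_message, d1):
    """User: apply d1, then the public exponent, to invert the server's step."""
    return pow(pow(key_message, d1, N), E, N)


def message_representative(message):
    """Toy hash-to-integer step (no padding scheme; illustration only)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def user_partial_signature(message, d1):
    """User's half of a joint signature, made with the short portion d1."""
    return pow(message_representative(message), d1, N)


def server_complete_signature(partial, d2):
    """Server's half: completes the signature without ever learning d1."""
    return pow(partial, d2, N)


def verify_signature(message, signature):
    """Ordinary RSA verification with the public key (E, N)."""
    return pow(signature, E, N) == message_representative(message)


def demo():
    d1, d2 = split_private_key("correct horse")        # constructed password
    wrong_d1 = user_portion_from_password("wrong guess")
    sym_key = 0x0123456789ABCDEF                       # constructed key value
    request = b"retrieve file 42"                      # constructed message
    key_message = server_wrap_key(sym_key, d2)
    partial = user_partial_signature(request, d1)
    return {
        "d1_bits": d1.bit_length(),
        "split_is_consistent": (d1 * d2 - D) % PHI == 0,
        "user_recovers_key": user_unwrap_key(key_message, d1) == sym_key,
        "wrong_password_recovers_key":
            user_unwrap_key(key_message, wrong_d1) == sym_key,
        "public_key_alone_recovers_key": pow(key_message, E, N) == sym_key,
        "partial_signature_verifies": verify_signature(request, partial),
        "joint_signature_verifies":
            verify_signature(request, server_complete_signature(partial, d2)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the holder of d1 recovers the wrapped key, and a signature verifies under the public key only after both portions have been applied.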

An improved system using split key public encryption has
been disclosed, see U.S. patent application Ser. No. 08/277,808
filed on Jul. 20, 1994 for Y. Yacobi and R. Ganesan
entitled "A System and Method for Identity Verification,
Forming Joint Signatures and Session Key Agreement in an
RSA Public Cryptosystem". The described system and
method, allow two system users to verify each other's
identity, form a joint signature and establish and distribute a
session key in an RSA environment.

The system developed by Yacobi and Ganesan provides
significant benefits where no intermediary between the users
needs to be empowered with the ability to eavesdrop on
encrypted communications. However, in practical systems,
it is often desirable or required, for reasons other than
security, that an intermediary with such power be placed
between the users. Such an intermediary can provide a
central point of audit and service cancellation, as well as
other benefits. For example, public subscription systems,
such as INTERNET electronic mail systems, will normally
have a central intermediary empowered to monitor the
access of a subscriber and terminate access should a
subscriber fail to pay his monthly access fee.

"A Secure Joint Signature and Key Exchange System",
Bellcore Technical Document, see also U.S. patent
application Ser. No. 08/277,808 filed on Jul. 20, 1994, now U.S. Pat.
No. 5,588,061 which is also assigned to the assignee of the
present application, modified Boyd's system, and made four
significant additional points regarding split private key
asymmetric cryptosystems. Although specifically applied to
the two party case, the findings can be utilized more
generally. The first point is that, assuming all operations are
modulo N, breaking the joint signature system is equivalent
to breaking RSA. This is true whether the attacker is an
active or passive eavesdropper or one of the system users. It
is assumed that key generation is conducted by a trusted
third party, for example a tamper proof chip, and the factors
of the RSA modulus N and φ(N) are discarded after key
generation and not known to any of the system users. The
second point is the description of the following key
exchange protocol: User 1 sends c_1=m_1^(d_1) to User 2. User 2
recovers m_1=c_1^(d_2 e). Similarly User 2 transmits m_2 to User 1.
Each user then computes m=f(m_1, m_2), where f is a function
like XOR. Page and Rant prove mathematically that
breaking this scheme is equivalent to breaking RSA. Again this is
true whether the attacker is an active or passive
eavesdropper or one of the system users. The third point is the
introduction of the concept that one of the two users is a
central server which maintains one portion of every user's
RSA private key. In order to sign a message the user must
interact with this server which, it is shown, cannot
impersonate the user. Having to interact with such a central server
has several important practical advantages, including instant
revocation without difficult to maintain Certificate
Revocation Lists (CRL), Kent, S., "Privacy Enhancement for
Internet Electronic Mail: Part II: Certificate Based Key
Management", INTERNET RFC 1422, Feb. 1993, a central
point for audit, and a way of providing for digital signatures
in an era where smart cards are not yet ubiquitous. Finally,
the paper also proves mathematically that even if one of the
two portions, d_1 and d_2 of the private key, d, is short, say 64
bits, an eavesdropper will have equal difficulty breaking the
split key system as would be experienced in breaking RSA.
As a consequence, a digital signature infrastructure can be
built where users who remember short, e.g., 8-9 characters,
passwords, can interact with the central server to create RSA
signatures which are indistinguishable from those created
using a full size private key stored on a smart card.

One symmetric cryptosystem is the Kerberos
authentication system, Kohl, J. T. and B. C. Neuman, "The Kerberos
Network Authentication Service", INTERNET RFC 1510,
September 1993, which is based on the classic
Needham-Schroeder authentication protocols, Needham, R. M. and
Schroeder, M. D., "Using Encryption for Authentication in
Large Networks of Computers", Communications of the
ACM, v. 21, n. 12, Dec. 1978, with extensions by
Denning-Sacco, D. E. Denning and G. M. Sacco, "Timestamps in Key
Distribution Protocols," Communications of the ACM, v. 24,
n. 8, Aug. 81, pp. 533-536. The system uses a trusted third
party model to perform authentication and key exchange
between entities in a networked environment, for example,
over a local or wide area network. Kerberos uses symmetric
key cryptosystems as a primitive, and initial
implementations use the Data Encryption Standard (DES) as an
interoperability standard, though any other symmetric encryption
standard can be used. After close to a decade of effort the
Kerberos authentication system is now a fairly mature
system whose security properties have held up fairly well to
intense scrutiny. Further, vendors are now delivering
Kerberos as a supported product. Kerberos has also been
adopted as the basis for the security service by the Open
Software Foundation's (OSF) Distributed Computing
Environment (DCE). Consequently, Kerberos can be expected to
be among the most widespread security systems used in
distributed environments over the next several years.

For the sake of clarity, a "simplified" version of the
Kerberos protocol described by Neuman and Ts'o in
Neuman, B. C. and Ts'o, T., "Kerberos: An Authentication
Service for Computer Networks", IEEE Communications,
September 1994, will be discussed below. The complete
protocol is described in Kohl, J. T. and Neuman, B. C., "The
Kerberos Network Authentication Service", INTERNET
RFC 1510, September 1993. Further, the following
discussion is based on Neuman, B. C. and Ts'o, T., "Kerberos: An
Authentication Service for Computer Networks", IEEE
Communications, September 1994, and for the sake of
consistency uses almost the same notation. The fundamental
message exchanges are shown in FIG. 1. In message 1 the
user uses a personal computer or workstation 10 to request
a ticket granting ticket (TGT) from an authentication/
security server (AS) 20. The server 20 creates such a ticket
TGT, looks up the user's password from the Kerberos
database 30, encrypts the TGT with the password and sends
it to the user via the computer 10 in message 2. The user
decrypts the TGT with her password using computer 10, and
stores the TGT on computer 10, for example on a hard disk
or in the random access memory (RAM). Then, when the
user desires to access a service, she sends message 3, which
contains the TGT to the ticket granting server 40. The server
40 verifies the TGT and sends back, in message 4, a service
ticket to access the service server 50, and a session key,
encrypted with the user's password retrieved from database
30. In message 5 the user presents via computer 10 the
service ticket to the server 50, which verifies it and also
recovers the session key from it. If mutual authentication is
required, the server 50, in message 6, sends back a message
encrypted with the session key. All communications
between servers 20, 40 and 50 and computer 10 are via
network 60, e.g. the INTERNET. All communications
between servers 20 and 40 and database 30 are preferably by
direct communications link.

An improved Kerberos type system is described in U.S.
patent application Ser. No. 08/338,128 filed on Nov. 9, 1994,
now U.S. Pat. No. 5,535,276 entitled "YAKSHA, an
Improved System and Method for Securing
Communications Using Split Private Key Asymmetric Cryptography",
which is also assigned to the assignee of the present
application and incorporated herein by reference. The described
system provides for secured communications in a way in
which the compromise of a central database, such as the
secured database in a conventional Kerberos system, will
not be catastrophic to the overall system security. The
system is also less vulnerable to dictionary attacks than
conventional systems and provides a way for one user to
authenticate itself to another user. The described system
facilitates digital signatures being placed on a message and
thereby provides for non-repudiation. Additionally the
system can be implemented to enhance security in conventional
Kerberos systems with minimum changes to the standard
Kerberos protocol and is compatible with the use of "smart
cards". Finally, the described system allows the reuse of an
authentication infrastructure for digital signatures.

Another system having central server is described in U.S.
patent application Ser. No. 08/277,376 filed on Jul. 18, 1994,
now U.S. Pat. No. 5,557,678 entitled "A System and Method
for Centralized Session Key Distribution, Privacy Enhanced
Messaging and Information Distribution Using A Split
Private Key Public Cryptosystem", which is also assigned to
the assignee of the present application and incorporated
herein by reference. The described system uses split private
key public encryption to provide automatic identity
verification by a central intermediary prior to any information
being exchanged. Additionally, the described system ensures
that the users are authorized before a communications
session is established. The system facilitates the distribution
of session keys, and the proper authorization and
implementation of wire taps. The described system can additionally
provide privacy enhanced messaging and is particularly
suitable for the secure distribution of video, data and other
messages.

Although the above systems provide a great deal of
security and flexibility, problems still exist in exchanging
symmetric session crypto-keys between users of virtual area
networks, such as the INTERNET, who utilize different
cryptosystems. For example, although the users who will
participate in a communications session may all have an
assigned private/public key pair, i.e. are all part of an
asymmetric cryptosystem, only some of the users may have
a split private key, i.e. are part of an asymmetric split key
cryptosystem. Further, because virtual area networks have
open access, data stored on file servers and other storage
devices directly or indirectly connected to such networks is
extremely vulnerable to security breaches and attack.

OBJECTIVES OF THE INVENTION

Accordingly, it is an object of the present invention to
provide for exchanges of symmetric session crypto-keys
between users of virtual area networks, such as the
INTERNET, who utilize different crypto-systems.

It is a further object of the present invention to provide
enhanced security for data stored on file servers and other
storage devices directly or indirectly connected to such
networks.

The advantages and novel features of the present
invention will become apparent to those skilled in the art from this
disclosure, including the following detail description, as
well as by practice of the invention. While the invention is
described below with reference to preferred embodiments, it
should be understood that the invention is not limited
thereto. Those of ordinary skill in the art having access to the
teachings herein will recognize additional applications,
modifications and embodiments in other fields, which are
within the scope of the invention as disclosed and claimed
herein and with respect to which the invention could be of
significant utility.

SUMMARY OF THE INVENTION

According to the present invention, in a system having a
plurality of system users, each user has an associated
asymmetric crypto-key with a public key portion and a
corresponding private key portion. Each public key portion is
accessible to the plurality of system users. The private key
portion of at least some of the users has a first private key
portion known only to the associated user and a
corresponding second private key portion known only to a security
server. The private key portion of other users is known only
to the associated user.

To secure stored files, the data to be stored on a file server
is first identified by a user and forwarded to a file server or
other storage device. A symmetric crypto-key is encrypted
by the security server, or other central security authority,
with the second private key portion of the file server's
crypto-key, to form an encrypted key message. This ensures
that only the appropriate file server will have access to the
symmetric crypto-key. The encrypted key message is
forwarded to the user for forwarding along with the data to the
appropriate file server.

The file server can obtain the symmetric crypto-key by
applying the first private key portion of the file server's
crypto-key to decrypt the encrypted key message. The file
server can now encrypt the identified data with the
symmetric crypto-key to form an encrypted file, and store the
encrypted file and the encrypted key message on an
associated memory device.

If the user desires to retrieve the stored data, a retrieve file
request is first encrypted by the user with the first private key
portion of the user's crypto-key to form a first encrypted
retrieve file request. This authenticates the user's request.
The security server obtains the retrieve file request by
applying the second private key portion of the user's
crypto-key to the first encrypted retrieve file request. The first
encrypted retrieve file request may be encrypted by the
security server with the second private key portion of the
user's crypto-key to form a second encrypted retrieve file
request. This authenticates the user's request. The second
encrypted retrieve file request is forwarded to the file server.
The retrieve file request is obtained by the file server by
applying the public key portion of the user's crypto-key to
decrypt the second encrypted retrieve file request.
Responsive to the request, the file server retrieves the encrypted file
and the encrypted key message from storage. The file server
obtains the symmetric crypto-key by applying the first
private key portion of the file server's crypto-key to decrypt
the retrieved encrypted key message. The file server then
obtains the requested data by applying the symmetric
crypto-key to decrypt the retrieved encrypted file. The file
server directs the data to the requesting user.

If desired, the security server may also encrypt the
retrieve file request with the second private key portion of
the file server's crypto-key to form the second encrypted
retrieve file request. In such a case, the file server obtains the
retrieve file request by additionally applying the first private
key portion of the file server's crypto-key to decrypt the
second encrypted retrieve file request.

Each key portion has a bit length and preferably the bit
length of each first private key portion is smaller than the bit
length of the associated second private key portion.
Beneficially, the bit length of each first private key portion
is between 56 and 72 bits. Further, each private key portion
is comprised of a private exponent and modulus N which is
a product of a plurality of numbers within a set of large
prime numbers. Each public key portion is comprised of a
public exponent and the modulus N. Advantageously, the
modulus N has a bit length and the bit length of each private
key portion is no larger than fifteen percent of the bit length
of the modulus N but not less than 56 bits.

In accordance with other aspects of the invention, session
key distribution is facilitated between a first user having a
first private key portion known only to the first user and a
corresponding second private key portion known only to the
security server and a second user having a private key
portion known only to the second user, i.e. the second user's
private key is not split. To accomplish session key
distribution, the first user encrypts a session key request with
the first private key portion of the user's crypto-key to form
a first encrypted message. The security server decrypts the
first encrypted message by applying the first user's second
private key portion to thereby obtain the session key request.
The security server then encrypts a symmetric crypto-key
with the second private key portion of the first user
crypto-key to form a first encrypted key message. The security
server also encrypts the symmetric crypto-key with the
public key portion of the second user's crypto-key to form
a second encrypted key message.

The first user decrypts the first encrypted key message by
applying the first user's first private key portion to obtain the
symmetric crypto-key. The second user decrypts the second
encrypted key message by applying the private key portion
of the second user's crypto-key to obtain the symmetric
crypto-key. Accordingly, both users now have access to the
symmetric crypto-key which will serve as the session key
for encrypting and decrypting communications between the
users.

Each user station, including the file server(s), and the
security server will typically be represented by a computer
[illegible] driven by instructions stored on an
associated computer readable storage medium to operate in
the described manner. The computer could be a personal
computer, work station, mini-computer, main frame
computer or any other computing device with sufficient power to
perform in accordance with the invention. The computer
readable storage could be a hard or floppy disk, CD, ROM,
RAM, DRAM, SRAM, EPROM or other memory device,
including electrical, magnetic and optical memory. Storage
media associated with each user station or file server may be
adapted to store the first private key portion of the user
crypto-key. If the user does not have a split private key, the
storage media will typically store the private key portion of
the user's crypto-key. Storage media associated with the
security server will typically store the second private key
and/or the public key portion of each user's crypto-key.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of a conventional Kerberos
authentication system.

FIG. 2 is a diagram of a Yaksha system according to the
present invention.

FIG. 3 is a flow diagram illustrating the steps for session
key exchange in accordance with the present invention.

FIG. 4 is a flow diagram illustrating the steps for
encrypting stored data in accordance with the present invention.

FIG. 5 is a flow diagram illustrating the steps for
retrieving encrypted stored data in accordance with the present
invention.

FIG. 6 depicts a computer suitable for use as a client
station depicted in FIG. 2.

FIG. 7 is an exemplary block diagram of the computer
depicted in FIG. 6.

FIG. 8 depicts a computer suitable for use as the security
server depicted in FIG. 2.

FIG. 9 is an exemplary block diagram of the computer
depicted in FIG. 8.

FIG. 10 depicts a computer suitable for use as the file
server depicted in FIG. 2.

FIG. 11 is an exemplary block diagram of the computer
depicted in FIG. 10.

CARRYING OUT THE INVENTION

It should also be understood that the crypto-keys are
created, as in any public-key cryptosystem, in accordance
with the established policy. The creation and issuance of
asymmetric crypto-key could, for example, be performed by
an organization's Security Department, perhaps the same
organization that issues Photo IDs, using a terminal
connected to a secure computer (e.g. a computer or processor
with a tamper proof chip). A user could access this terminal,
enter her or his name, etc. This information is certified by a
security officer, whose password or private key the computer
knows. The computer then creates an RSA or other
public-private key pair, prompts the user for a password, which
becomes the user's portion of the RSA private key. The
computer computes the portion of the user's private key
which is stored in a secured database, referred to as the
Yaksha database. If the computer is also the security server
acting as the certifying authority, it preferably computes the
user's certificate. Any other user can obtain the user's public
key by applying the certifying authority's public key to the
user's certificate. This is a simplification of the complex
structure of an actual certificate but is sufficient for purposes
of this discussion, Kent, S., "Privacy Enhancement for
Internet Electronic Mail: Part II: Certificate Based Key
Management", INTERNET RFC 1422, Feb. 1993.

Once smart cards are ubiquitous, the user-password may
become irrelevant and the security server can download the
user's (long) private key directly to a smart card. No method
of key generation is critical to the functioning of the present
invention, hence the above is only meant to be one possible
scenario. Since the present invention is not vulnerable to
some of the attacks which conventional Kerberos systems
are vulnerable to, the user's private key utilized in
accordance with the present invention will have a longer useful
life than in Kerberos.

It will be understood that a user may be a person or entity,
a server or processor, or a system device such as a switch in
a communications network. Preferably, for every user, there
exists a first private asymmetric crypto-key portion known
only to the user, i.e. each user's private key is split and the
user maintains only a portion of the private key. However,
[illegible] future this is unlikely to be the case. For
those users having a split private key, a second private
crypto-key portion, i.e. the remainder of the user's private
key, is stored on a secured database, i.e. the Yaksha database.
Certificates exist on a certifying authority's server, i.e. the
security server which is sometimes also referred to as the
authentication server, and possibly on other servers and user
processors, and every user knows the certifying authority's
public key. All other intermediate key generation
information has been destroyed, preferably within the safe confines
of the tamper proof chip used to generate the crypto-keys.

Both the private and public encryption keys are typically
generated using a private exponent and a modulus N which
is the product of a large number of prime numbers. It is
preferable that the length of the portion of the divided
private encryption key which is maintained by the user be
substantially smaller than the modulus N value. It is further
preferred that the user portion of the divided private
encryption key be no larger than 15% of the length of the modulus
N but not less than 56 bits. If the modulus N is 512 bits in
length and, the user portion of the private encryption key
must be memorized by the user or stored in a personal
communications device, the user's portion of the divided
private encryption key is preferably between 56 and 72 bits.

The present invention will now be described with
reference to FIGS. 2-5. FIG. 2 is an exemplary embodiment of
a system and FIGS. 3-5 illustrate the steps performed by the
various system components to provide encrypted file storage
and session key exchange in accordance with the present
invention.

Referring first to FIG. 2, the user on client station 110,
who will be referred to below as the first user, has a split
private key with the second portion of the private key
retained in the Yaksha database 130. The user on client
station 140, who will be referred to below as the second user,
does not have a split private key and therefore retains his/her
full private key. [illegible] one user and client station 140
operated by another. The stations 110 and 140 are connected
to network 60 which is identical to the network shown in
FIG. 1. The network could, for example, be the INTERNET.
The stations 110 and 140

the first user's public key to form a first encrypted session
key. In step 250, the security server 120 retrieves the second
user's public key from the Yaksha database 130 and encrypts
the session key with the second user's public key to form a
second encrypted session key. The first encrypted session
key and the second encrypted session key are transmitted as
message 2' to the client station 110 in step 260. The client
station 110 decrypts the first encrypted session key with the
first portion of the first user's private key in step 270.
Accordingly, the first user now has access to the session key.
[illegible] The encrypted message and
the second encrypted session key are communicated via the
network 60, as message 3', to client station 140 in step 285.
The client station 140, in step 290, decrypts the second
encrypted session key with the second user's private key,
thereby providing the second user with access to the session
key. In step 295, the client station 140 applies the session
key to decrypt the encrypted message from the first user. The
client station 140 generates and encrypts a reply message
with the session key in step 297. The encrypted reply
message is communicated to the client station 110 via
network 60 as message 4'. The encrypted reply message can
be decrypted by the client station 110 applying the session
[illegible] stations 110 and 140 throughout the communication session
to encrypt and decrypt messages exchanged between the first
and second users.

Referring now to FIG. 4, encrypted data storage according

can communicate with a security server 120. and a file server to the present invention will be described. In step 300 the 

150 via the network first user directs the client station 110 to encrypt a request for 

A YAKSHA database 130 is directly linked to the security a crypto-key. to be used in encrypting data to bestored on 

server 120. For clarity, the ticket granting server of the type file server 150, by applying the first user s first private key 

shown in FIG. 1 is not depicted but could, if desired, be Portion to the request In step 310 the encrypted request is 

easily included within the system and utilized in the manna 35 transmitted via the network 60 as message 5 1 to the security 

previously described in application Ser. No. O803M28. A server 120. In response to the receipt of the encrypted 

file server 160 is also a user of the system and is connected «quest security server 120. in step 320, retrieves the second 

to the system via the network 60. portion of the flm private key and the first users 

Each user, including each server, has an asymmetric „ P^Uc^y from die Yaksha database 130 and appUcstfae 

cxypTkey^sigaed to it The key is made up of a public " retrieved *W to thc cncr >P tcd communication to decrypt 

private key pair, the public portion of which is known or rc ^ Jcst - 

available to aLUsers as discussed above. The private portion Next, in step 330, the security server 120 generates a 

of the key of user erf client station 110 is divided into a first symmetric crypto-key. In step 340 the security server 120 

portion which is known only to that user and a second Ai encrypts the crypto-key with the second portion of the file 

portion which is stored on thc YAKSHA database 130 and server's private key and the file server s public key to form 

accessible only to thc security server 120. an encrypted symmetric crypto-key. In step 350, the 

Referring now to FIG. 3, session key distribution in encrypted , crypto-key is transmitted as message 6 to the 

accordance with the present invention will now be stanon uo * 

described- In step 200 the first user directs the client station » The client station HO transmits the encrypted crypto-key. 

110 to encrypt a request to establish a conununication along with the data to be stored, to the file server 150 as 

session with a second user at client station 140 by applying message 7, in step 360. The data could of course be 

the first user's first private key portion to the message. In encrypted with, for example, a session key before transmis- 

step 210, the encrypted message is transmitted via the sion to file server 150. The identification of the first user is 

network 60 as message 1' to the security server 120. In 35 provided typically in the form of a Certification of the type 

response to the receipt of the request, in step 220 security discussed above. 

server 120 retrieves the second portion of the first user's The file server 150 decrypts the encrypted crypto-key 

private key and the first user's public key from the Yaksha with the first portion of the file server's private key in step 

database 130 and applies the retrieved keys to the encrypted 370. Thc file server 150. in step 380, encrypts the data to be 

message to decrypt the request « stared with the crypto-key. In step 390. the file server stores 

Responsive to the request in step 230 the security server thc encrypted data and the encrypted crypto-key in memory, 

generates a symmetric session key. If desired, the session Accordingly, the data has now been stored by the file server 

key could be pre -generated and stored on security server 120 150 in an encrypted form. 

or the Yaksha database 130; however it is generally prefer- Turning now to FIG. 5. the recovery of the encrypted data 

able to generate session keys when required. as from storage will be described In step 500. the first user 

In step 240. the security server 120 encrypts the session directs the client station 110 to encrypt a request for the data 

key with the second portion of the first user's private key and by applying the user's first private key portion to the request 
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thereby fanning a first encrypted message. In step 510 the 
first encrypted message is transmitted via the network 60 as 
message 8* to the security server 120. In response to the 
receipt of the encrypted message, security server 120. in step 
520. retrieves the second portion of the first user's private 
key and the first user's public key from the Yaksha database 
130 and applies the retrieved keys to the encrypted com- 
munication to decrypt the request 

Next, in step 530, the security server 120 encrypts the
request with the second portion of the first user's private key
and the first user's public key, to form a second encrypted
message. In step 540, the second encrypted message is
transmitted as message 9' to the client station 110 via
network 60.

The client station 110, in step 550, further encrypts the
second encrypted message with the first portion of the first
user's private key, to form a third encrypted message. The
client station 110 then transmits the third encrypted message
to the file server 150 as message 10' in step 560.

The file server 150, in step 570, retrieves the request by
applying the first user's public key to the third encrypted
message. It will be noted that the file server is assured of the
validity of the request because in order to decrypt the third
encrypted message both the first user and the security server
120 must have signed a portion of the first user's private key
to the request.

The file server 150 retrieves the encrypted symmetric
crypto-key and encrypted data from storage in step 580. The
file server 150 first decrypts the encrypted crypto-key by
applying its first private key portion thereto, and thereby
obtains the crypto-key in step 585. In step 590, the file server
150 decrypts the encrypted data with the crypto-key. The
data can now be transmitted, in step 595, by the file server
150 via the network 60 to the client server 110 as message
11'.
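The storage and retrieval flows of FIGS. 4 and 5, as an added toy example that is not part of the patent text. It assumes a multiplicative split d1·d2·e ≡ 1 (mod φ(N)), which the passage does not spell out, textbook RSA without padding on fixed Mersenne primes, a SHA-256 keystream as a stand-in symmetric cipher, a constructed `GET ` request prefix, and hypothetical names throughout (`SplitKey`, `make_split_key`, `store`, `build_request`, `recover_request`, `retrieve`). Step 530 applies only the second private key portion, as recited in claim 2, so that the public key alone recovers the request in step 570.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass

E = 65537  # public exponent used for both toy keys (assumption)


@dataclass(frozen=True)
class SplitKey:
    n: int   # modulus N (public)
    e: int   # public exponent
    d1: int  # first private key portion, held only by the key's owner
    d2: int  # second private key portion, held only by the security server


def make_split_key(p: int, q: int, user_bits: int = 64) -> SplitKey:
    """Split the private exponent so that d1 * d2 * e == 1 (mod phi(N)).

    Assumed split rule. d1 is kept short (the text prefers 56 to 72 bits
    for a memorized user portion); d2 carries the remaining strength.
    """
    phi = (p - 1) * (q - 1)
    while True:
        d1 = secrets.randbits(user_bits) | (1 << (user_bits - 1)) | 1
        if math.gcd(d1, phi) == 1:
            return SplitKey(p * q, E, d1, pow(d1 * E, -1, phi))


def sym_crypt(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def store(fs: SplitKey, data: bytes):
    """FIG. 4: returns (encrypted file, encrypted key message)."""
    k_int = int.from_bytes(secrets.token_bytes(16), "big")  # step 330, server
    ekm = pow(pow(k_int, fs.d2, fs.n), fs.e, fs.n)          # step 340, server
    k = pow(ekm, fs.d1, fs.n).to_bytes(16, "big")           # step 370, file server
    return sym_crypt(k, data), ekm                          # steps 380-390


def build_request(user: SplitKey, request: bytes) -> int:
    """FIG. 5, steps 500-550: request carried through client and server."""
    m = int.from_bytes(request, "big")
    r1 = pow(m, user.d1, user.n)                            # step 500, client
    seen = pow(pow(r1, user.d2, user.n), user.e, user.n)    # step 520, server
    r2 = pow(seen, user.d2, user.n)                         # step 530, d2 only
    return pow(r2, user.d1, user.n)                         # step 550, client


def recover_request(user_n: int, user_e: int, r3: int):
    """Step 570: only a request processed with BOTH portions decodes."""
    m = pow(r3, user_e, user_n)
    raw = m.to_bytes((m.bit_length() + 7) // 8 or 1, "big")
    return raw if raw.startswith(b"GET ") else None         # constructed format


def retrieve(fs: SplitKey, ciphertext: bytes, ekm: int) -> bytes:
    """Steps 580-590: file server unwraps the key with d1, decrypts the file."""
    k = pow(ekm, fs.d1, fs.n).to_bytes(16, "big")
    return sym_crypt(k, ciphertext)


if __name__ == "__main__":
    # Fixed Mersenne primes keep the demo deterministic; never use them for real keys.
    file_server = make_split_key(2**107 - 1, 2**61 - 1)
    first_user = make_split_key(2**127 - 1, 2**89 - 1)
    blob, key_msg = store(file_server, b"constructed sample record")
    req = build_request(first_user, b"GET file-7")
    print(recover_request(first_user.n, first_user.e, req))
    print(retrieve(file_server, blob, key_msg))
```

A request to which the client applies only its own short portion, bypassing the security server, fails the check in `recover_request`, which is the assurance the file server relies on in step 570.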

FIGS. 6-11 depict computers suitable for use as the client
stations 110 or 140, the security server 120 and the file server
150 shown in FIG. 2. The computers are preferably commercially
available personal computers or high-powered
work stations. Each computer's processor could, for
example, be a Pentium™ processor. Any commercially
available keyboard and/or mouse and monitor can be utilized.
A high-speed network interface, including a high-speed
modem, is preferred although not mandatory. The
depicted configuration of the computers is exemplary. One
or more of the computers could, if desired, also or alternatively
include other components (not shown), such as an
optical storage medium. Any number of configurations could
be suitable for implementing the invention so long as
sufficient storage capacity and processing capability are
provided. All of the computers are depicted as having similar
hardware configurations, although this is not necessarily the
case. For example, as will be well understood by the skilled
artisan, it may be desirable for components of the respective
computers to have attributes such as memory storage capacity,
data transmission rates and processing speeds which differ.
In this regard, typically the security and file servers 120 and
150 would include a much larger hard drive and a faster
processor than the client stations 110 and 150.

Each of the computers differs in its respective programming
instructions so that each of the computers is uniquely
driven to operate in accordance with the present invention.
That is, the functionality of each of the computers described
with reference to FIGS. 6-11 varies from that of the other
computers due to the programming instructions which drive
its operation. It will be understood that although FIGS. 6 and
7 depict a computer which could be utilized as either of
client stations 110 or 140, each of these processors will be
driven to operate as described below by a different set of
programming instructions even though the hardware components
may be identical. It will also be recognized by those
skilled in the art that only routine programming is required
to implement the required programming instructions.

To avoid unnecessary duplication the computers depicted
in FIGS. 6-11 will be generally described only with reference
to FIGS. 6 and 7. It should be understood that the
corresponding components of the computers depicted in
FIGS. 8-11 will be similar. Further, since the computer
components and configurations are conventional, routine
operations performed by the depicted components will generally
not be described, such operations being well understood
in the art.

Preferably, each of the computers initially stores its
unique programming instructions on its ROM or hard disk.
The private key portion of the user's long term crypto-key
which the user retains may, if desired, be stored in each
computer on the hard disk. However, this should only be
necessary for those users who do not have an associated
split private key or have their full private key on a smart
card. Session keys are preferably stored on the RAM.
Additionally, the programming instructions and other information
stored initially on the ROM or hard disk will typically
be downloaded to the RAM during operation of the computer
and accessed during operations directly from the
RAM. The computer 600', i.e., the computer which serves as
the security server 120, could if desired include the Yaksha
database 130 stored preferably on its hard disk.

Referring now to FIGS. 6 and 7, the computer 600
includes a main unit 610 with slots 611, 612 and 613,
respectively provided for loading programming or data from
a floppy disc 726a, CD 728a and smart card 729a onto the
computer 600. The computer 600 also includes a keyboard
630 and mouse 640 which serve as user input devices. A
monitor display 620 is also provided to visually communicate
information to the user.

As depicted in FIG. 7, the computer 600 has a main
processor 700 which is interconnected via bus 710 with
various storage devices including RAM 720, ROM 722 and
hard disk 724a, all of which serve as a storage medium on
which computer programming or data can be stored and
accessed by the processor 700. The main processor 700 is
also interconnected via bus 710 with various other devices
such as the floppy disc drive 726, the CD drive 728 and the
card reader 729 which are capable of being controlled by
drive controller 750 to read computer programming or data
stored on a floppy disc 726a, CD 728a or smart card 729a
when inserted into the appropriate slot 611, 612 or 613 in the
unit 610. By accessing the stored computer programming
the processor 700 is driven to operate in accordance with the
present invention.

The processor 700 is also operatively connected to the
keyboard 630 and/or mouse 640, via input interface 730. The
display monitor 620 is also interconnected to the processor
700, via display interface 740, to facilitate the display of
information to the user. The network interface 760 is provided
to interconnect the processor 700 to the network 60
depicted in FIG. 2 and accordingly allow communications
between the computer 600 and other network devices. Since
the computer 600 serves as the client station 110 or 140, the
network interface allows communications between client
stations 110 and 140 and with network servers 120 and 150.
The inter-operation of the various components of the
computers depicted in FIGS. 6-11 in implementing the steps
described above with reference to FIGS. 3-5 will now be
described. Referring first to FIGS. 6 and 7, in order for the
first user to request a session key for a session with the
second user from the security server 120, the user enters a
command using the keyboard 630 or the mouse 640, responsive
to which the computer programming stored, for
example, initially on ROM 722 and downloaded to RAM
720 during operation of the system, drives the processor 700
to encrypt the session key request with the first portion of the
first user's private key which may be either retrieved from
storage on, for example, hard disk 724a, or entered on the
keyboard by the user, as described in step 200 of FIG. 3.

The processor, in accordance with the stored programming
instructions, drives the network interface 760 to transmit
the encrypted request for a session key to the security
server 120 as described in step 210 above. This step may be
performed automatically or may require a prompting from
the user via the keyboard 630 or mouse 640. An indication
that the request has been transmitted may be displayed on
the display 620.

Referring now to FIGS. 8 and 9, the encrypted request is
received by the processor 700' via the network interface
760'. In accordance with programmed instructions initially
stored on ROM 722" and downloaded to RAM 720' during
system operation, the processor is driven to retrieve the
second portion of the first user's private key and the first
user's public key from the hard disk 724a' which serves as
the Yaksha database 130 of FIG. 2, and to apply the retrieved
keys as described in step 220 to decrypt the encrypted
request.

Responsive to the request, the processor 700 is driven to
generate a session key as described in step 230 and to
encrypt the generated session key with the second portion of
the first user's private key and the first user's public key as
discussed above with reference to step 240. In accordance
with its programmed instructions, the processor 700' also
retrieves, from the hard disk 724a', the second user's public
key and applies this key to separately encrypt the session key
as described in step 250. The processor 700' now drives the
network interface 760' to transmit the first and second
encrypted session keys to client station 110 via the network
60 as discussed in step 260.

Referring again to FIGS. 6 and 7, the first and second
encrypted session keys are received by the processor 700 via
the network interface 760. The first encrypted session key is
decrypted by processor 700 in accordance with its programmed
instructions as described in step 270. The processor
700 is next driven to encrypt a communication from the
first user, which has been entered via the keyboard 630 and
displayed on the display 620, with the session key as
discussed in step 280. The processor 700 now drives the
network interface 760 to transmit the encrypted message and
second encrypted session key to the client station 140
processor as indicated in step 285. The client station 140
processor is now driven by its stored programming instructions
to decrypt the second encrypted session key and to then
apply the session key to decrypt the encrypted communication
from the first user as discussed in steps 290-295. The
client station 140 processor is also driven to encrypt a reply
message which is input via the station 140 keyboard by the
second user with the session key and to drive the network
interface of client station 140 to transmit the encrypted reply
to client station 110 via the network 60 as described in step
297.

Referring again to FIGS. 6 and 7, the computer 600 will,
in accordance with its stored programming instructions,
operate in a similar manner to that described above in
requesting a symmetric crypto-key to be used to store
encrypted data as described in steps 300-310 of FIG. 4. The
security server shown in FIGS. 8 and 9 will likewise operate
in the similar manner to that described above in decrypting
the request and generating a symmetric crypto-key to be
used for file storage as described in steps 320-330.

The processor 700" will next be driven by its programming
instructions to retrieve the second portion of the file
server private key from the hard disk 724a' and to apply this
key portion to encrypt the generated symmetric crypto-key
as described in step 340. The processor 700' then drives the
network interface 760' to transmit the encrypted crypto-key
to client station 110 via network 60 as described in step 350.

Returning to FIGS. 6 and 7, the encrypted crypto-key is
received by the processor 700 via network interface 760.
Data is retrieved from storage on, for example, RAM 720 in
accordance with instructions entered by the user via keyboard
630 or mouse 640 and transmitted along with the
encrypted crypto-key by the network interface 760 to the file
server 150 as discussed in step 360.

Referring now to FIGS. 10 and 11, the processor 700"
receives the data and encrypted crypto-key via network
interface 760". The processor 700" is driven by its stored
programmed instructions to retrieve the first portion of the
file server's private key from storage on, for example, hard
disk 724a" and apply this key portion to decrypt the
encrypted crypto-key as described in step 370. The processor
700" is then driven to encrypt the data with the symmetric
crypto-key and store the data and encrypted crypto-key
on hard disk 724a" as described in steps 380-390.

Referring again to FIGS. 6 and 7, the computer 600 will
operate in a manner similar to that described above in
encrypting and transmitting a data request to the security
server 120 as described in steps 500-510. Similarly, the
computer 600' will operate as previously described in
decrypting the encrypted request as discussed in step 520.
The processor 700' will then retrieve the second portion of
the first user's private key from the hard disk 720a'. As
described in step 530, the processor 700', driven by its
programming instructions, is driven to encrypt the data
request with the retrieved key portion. The processor 700'
then drives the network interface 760' to transmit the
encrypted data request to the client station 110 as indicated
in step 540.

Referring to FIGS. 6 and 7, the processor 700 receives the
encrypted data request via the network interface 760. The
processor 700, in accordance with its programmed
instructions, applies the first portion of the first user's private
key to the encrypted data request received from the security
server 120 to further encrypt the data request as disclosed in
step 550. The further encrypted data request is then transmitted
by network interface 760, in accordance with signals
from the processor 700, via network interface to the file
server 150, as described in step 560.

Referring now to FIGS. 10 and 11, the processor 700"
receives the fully encrypted data request via network interface
760". The processor 700", in accordance with its
programmed instructions, retrieves the first user's public key
from, for example, the hard disk 724a", and applies this key
to decrypt the data request which has been received from the
first user, as discussed in step 570 above. In response to the
request, the processor 700" is driven to retrieve the stored
encrypted crypto-key and encrypted data along with the
second portion of the file server's private key from the hard
disk 724a" as described in step 580. The processor 700", in
accordance with its programmed instructions, decrypts the
encrypted crypto-key and then the encrypted data, as noted
in steps 585-590. The processor 700" next drives the network
interface 760" to transmit the data to the client station
110 as indicated in step 595.

As described above, the present invention provides for
exchanges of symmetric session crypto-keys between users
of virtual area networks, such as the INTERNET, who utilize
different crypto-systems. The present invention additionally
provides enhanced security for data stored on file servers
and other storage devices directly or indirectly connected to
such networks.

It will also be recognized by those skilled in the art that
while the invention has been described above in terms of
preferred embodiments it is not limited thereto. Various
features and aspects of the above described invention may
be used individually or jointly. Further, although the invention
has been described in the context of their use in a
particular environment, i.e., the INTERNET, those skilled in
the art will recognize that the present invention can be
beneficially utilized in any environment in which not all
users have a split private key or which would benefit from
enhanced security of stored files and data. Accordingly, the
claims set forth below should be construed in view of the full
breadth and spirit of the invention as disclosed herein.

I claim:

1. A method for securing stored files in a system having
a plurality of system users, each said user having an associated
asymmetric crypto-key with a public key portion and
a corresponding private key portion, each public key portion
being accessible to the plurality of system users, each private
key portion having a first private key portion known only to
the associated user and a corresponding second private key
portion known only to a security server, comprising the steps
of:

identifying data for storage;

encrypting a symmetric crypto-key with the second private
key portion of a first user crypto-key associated
with a first user to form an encrypted key message;

obtaining the symmetric crypto-key by applying the first
private key portion of the first user crypto-key to
decrypt the encrypted key message;

encrypting said data with the symmetric crypto-key to
form an encrypted file; and

storing the encrypted file and said encrypted key message.

2. A method according to claim 1, further comprising the
steps of:

encrypting a first retrieve file request with the first private
key portion of a second user crypto-key associated with
a second user to form a first encrypted retrieve file
request;

encrypting the first encrypted retrieve file request with the
second private key portion of the second user crypto-key
to form a second encrypted retrieve file request;
and

obtaining the first retrieve file request by applying the
public key portion of the second user crypto-key to
decrypt the second encrypted retrieve file request;

retrieving the encrypted file and the encrypted key message
from storage responsive to said retrieve file
request;

obtaining the symmetric crypto-key by applying the first
private key portion of the first user crypto-key to
decrypt the retrieved encrypted key message; and

obtaining the data by applying the symmetric crypto-key
to decrypt the retrieved encrypted file.

3. A method according to claim 2, further comprising the
steps of obtaining the first retrieve file request by applying
the second private key portion of the second user crypto-key
to the first encrypted retrieve file request, and directing the
data to the second user.

4. A method according to claim 1, wherein said first user
is a file server.

5. A method according to claim 1, wherein each said key
portion has a bit length and the bit length of each first private
key portion is smaller than the bit length of the associated
second private key portion.

6. A method according to claim 1, wherein the bit length
of each said first private key portion is between 56 and 72
bits.

7. A method according to claim 1, wherein (i) each said
private key portion is comprised of a private exponent and
modulus N which is a product of a plurality of numbers
within a set of large prime numbers, (ii) each said public key
portion is comprised of a public exponent and the modulus
N and (iii) the modulus N has a bit length and the bit length
of each said private key portion is no larger than fifteen
percent of the bit length of the modulus N but not less than
56 bits.

8. A system for securing stored files having a plurality of
system users, each said user having an associated asymmetric
crypto-key with a public key portion and a corresponding
private key portion, each public key portion being accessible
to the plurality of system users, each private key portion
having a first private key portion known only to the associated
user and a corresponding second private key portion
known only to a security server, comprising:

a security server configured to encrypt a symmetric
crypto-key to form an encrypted key message;

a file server, having an associated file server crypto-key,
configured to encrypt data with the symmetric crypto-key
to form an encrypted file; and

storage media configured to store the encrypted file and
said encrypted key message;

wherein, (i) the security server is operable to encrypt the
symmetric crypto-key with the second private key
portion of the file server crypto-key to form the
encrypted key message, and (ii) the file server is
operable to obtain the symmetric crypto-key by applying
the first private key portion of the file server
crypto-key to decrypt the encrypted key message.

9. A system according to claim 8, further comprising:

a user processor configured to encrypt a first retrieve file
request with the first private key portion of a user
crypto-key to form a first encrypted retrieve file
request;

wherein, the security server encrypts the first encrypted
retrieve file request with the second private key portion
of the user crypto-key to form a second encrypted
retrieve file request, and

wherein, the file server (i) obtains the first retrieve file
request by applying the public key portion of the user
crypto-key to decrypt the second encrypted retrieve file
request, (ii) directs the retrieval of the encrypted file
and the encrypted key message from the storage media
responsive to the retrieve file request, (iii) obtains the
symmetric crypto-key by applying the first private key
portion of the file server crypto-key to decrypt the
retrieved encrypted key message, and (iv) obtains the
data by applying the symmetric crypto-key to decrypt
the retrieved encrypted file.

10. A system according to claim 9, wherein said security
server obtains the first retrieve file request by applying the
second private key portion of the user crypto-key to the first
encrypted retrieve file request, and the file server directs the
data to the user processor.

11. A system according to claim 8, wherein each said key
portion has a bit length and the bit length of each first private
key portion is smaller than the bit length of the associated
second private key portion.

12. A system according to claim 8, wherein the bit length
of each said first private key portion is between 56 and 72
bits.

13. A system according to claim 8, wherein (i) each said
private key portion is comprised of a private exponent and
modulus N which is a product of a plurality of numbers
within a set of large prime numbers, (ii) each said public key
portion is comprised of a public exponent and the modulus
N and (iii) the modulus N has a bit length and the bit length
of each said private key portion is no larger than fifteen
percent of the bit length of the modulus N but not less than
56 bits.

14. An article of manufacture for securing stored files in
a system having a plurality of system users, each said user
having an associated asymmetric crypto-key with a public
key portion and a corresponding private key portion, each
public key portion being accessible to the plurality of system
users, each private key portion having a first private key
portion known only to the associated user and a corresponding
second private key portion known only to a security
server, comprising:

computer readable storage medium; and

computer programming stored on said storage medium;

wherein said stored computer programming is configured
to be readable from said computer readable storage
medium by a computer and thereby cause said computer
to operate so as to:

decrypt a symmetric crypto-key encrypted with the second
private key portion of a user crypto-key associated
with a user of said computer by applying the first
private key portion of the user crypto-key, to thereby
obtain the symmetric crypto-key;

encrypt data with the symmetric crypto-key to form an
encrypted file; and

store the encrypted file and the encrypted symmetric
crypto-key.

15. An article of manufacture according to claim 14. 45 
wherein said stored computer programming is configured to 
be readable from said computer readable storage medium by 
the computer to thereby cause said computer to operate so as 

to: 

decrypt a retrieve file request encrypted with the first and 
the second private key portion of a second user crypto- 
key by applying the public key portion of said second 
user crypto-key to obtain the retrieve file request: 

retrieve the encrypted file and the encrypted symmetric 5J 
crypto-key from storage responsive to said retrieve file 
request; 

decrypt the retrieved encrypted symmetric crypto-key by 
applying the first private key portion of the user crypto- 
key to obtain the symmetric crypto-key; and 60 

decrypt the retrieved encrypted file by applying the sym- 
metric crypto-key to obtain the data. 

16. An article of manufacture according to claim 15, 
wherein said stored computer programming is configured to 
be readable from said computer readable storage medium by 
the computer to thereby cause said computer to operate so as 
to direct the data to the second user. 



17. A programmed computer for securing stored files in a 
system having a plurality of system users, each said user 
having an associated asymmetric crypto-key with a public 
key portion and a corresponding private key portion, each 
public key portion being accessible to the plurality of system 
users, each private key portion having a first private key 
portion known only to the associated user and a correspond- 
ing second private key portion known only to a security 
server, comprising: 

a processor for decrypting a symmetric crypto-key 
encrypted with the second private key portion of a user 
crypto-key by applying the first private key portion of 
the user crypto-key, to thereby obtain the symmetric 
crypto-key, and encrypting data with the symmetric 
crypto-key to form an encrypted file; 

storage media for storing the encrypted file and the 
encrypted symmetric crypto-key. 

18. A programmed computer according to claim 17, 
wherein: 

the processor is adapted to decrypt a retrieve file request 
encrypted with the first and the second private key 
portion of a second user crypto-key by applying the 
public key portion of said second user crypto-key to 
obtain the retrieve file request, to retrieve the encrypted 
file and the encrypted symmetric crypto-key from the 
storage media, to decrypt the retrieved encrypted sym- 
metric crypto-key by applying the first private key 
portion of the user crypto-key to obtain the symmetric 
crypto-key, and to decrypt the retrieved encrypted file 
by applying the symmetric crypto-key to obtain the 
data; 

the storage media is adapted to store the first private key 
portion of the user crypto-key. 

19. A method for session key distribution in a system 
having a plurality of system users, each said user having an 
associated asymmetric crypto-key with a public key portion 
and a corresponding private key portion, each public key 
portion being accessible to the plurality of system users, the 
private key portion of a first user having a first private key 
portion known only to the first user and a corresponding 
second private key portion known only to a security server 
and the private key portion of a second user known only to 
the second user, comprising the steps of: 

encrypting a symmetric session key request with the first 
private key portion of the first user crypto-key to form 
a first encrypted message; 
decrypting the first encrypted message by applying the 
second private key portion of the first user crypto-key 
to thereby obtain the session key request; 
encrypting a symmetric session crypto-key with the sec- 
ond private key portion of the first user crypto-key to 
form a first encrypted key message; 
encrypting the symmetric session crypto-key with the 
public key portion of the second user crypto-key to 
form a second encrypted key message; 
decrypting the first encrypted key message by applying 
the first private key portion of the first user crypto-key 
to obtain the symmetric session crypto-key for the first 
user; 

decrypting the second encrypted key message by applying 
the private key portion of the second user crypto-key to 
obtain the symmetric session crypto-key for the second 
user; 

encrypting and decrypting communications between said 
first user and said second user with the symmetric 
crypto-key. 
20. A method according to claim 19, wherein said (i) each 
said private key portion is comprised of a private exponent 
and modulus N which is a product of a plurality of numbers 
within a set of large prime numbers, (ii) each said public key 
portion is comprised of a public exponent and the modulus 
N and (iii) the modulus N has a bit length and the bit length 
of each said private key portion is no larger than fifteen 
percent of the bit length of the modulus N but not less than 
56 bits. 

21. A system for session key distribution having a plu- 
rality of system users, each said user having an associated 
asymmetric crypto-key with a public key portion and a 
corresponding private key portion, each public key portion 
being accessible to the plurality of system users, the private 
key portion of a first user having a first private key portion 
known only to the first user and a corresponding second 
private key portion known only to a security server and the 
private key portion of a second user known only to the 
second user, comprising: 

a security server configured to encrypt a symmetric session 
crypto-key with the second private key portion of 
the first user crypto-key to form a first encrypted key 
message and to encrypt the symmetric session crypto- 
key with the public key portion of the second user 
crypto-key to form a second encrypted key message, 
and having an associated storage medium for storing 
the second private key portion of the first user crypto- 
key and the public key portion of the second user 
crypto-key; 

a first user processor configured to decrypt the first 
encrypted key message by applying the first private key 
portion of the first user crypto-key to obtain the symmetric 
crypto-key, and to encrypt communications to 
and decrypt communications from the second user with 
the symmetric crypto-key; 

a second user processor configured to decrypt the second 
encrypted key message by applying the private key 
portion of the second user crypto-key to obtain the 
symmetric crypto-key, and to encrypt communications 
to and decrypt communications from the first user with 
the symmetric crypto-key. 

22. A system according to claim 21, wherein (i) each said 
private key portion is comprised of a private exponent and 
modulus N which is a product of a plurality of numbers 
within a set of large prime numbers, (ii) each said public key 
portion is comprised of a public exponent and the modulus 
N and (iii) the modulus N has a bit length and the bit length 
of each said private key portion is no larger than fifteen 
percent of the bit length of the modulus N but not less than 
56 bits. 

23. An article of manufacture for session key distribution 
in a system having a plurality of system users, each said user 
having an associated asymmetric crypto-key with a public 
key portion and a corresponding private key portion, each 
public key portion being accessible to the plurality of system 
users, the private key portion of a first user having a first 
private key portion known only to the first user and a 
corresponding second private key portion known only to a 
security server and the private key portion of a second user 
known only to the second user, comprising: 



computer readable storage medium; and 
computer programming stored on said storage medium; 
wherein said stored computer programming is configured 
to be readable from said computer readable storage 
medium by a computer and thereby cause said com- 
puter to operate so as to: 
decrypt a first message encrypted with the first private key 
portion of the first user crypto-key by applying the 
second private key portion of the first user crypto-key 
to thereby obtain a session key request; 
encrypt a symmetric crypto-key with the second private 
key portion of the first user crypto-key to form a first 
encrypted key message; and 
encrypt the symmetric crypto-key with the public key 
portion of the second user crypto-key to form a second 
encrypted key message; 
wherein, the symmetric crypto-key is obtainable by the 
first user by applying the first private key portion of the 
first user crypto-key to the first encrypted key message 
and by the second user by applying the private key 
portion of the second user crypto-key to the second 
encrypted key message so that the symmetric crypto- 
key is available to encrypt and decrypt communications 
between said first and said second users. 
24. A programmed computer for session key distribution 
in a system having a plurality of system users, each said user 
having an associated asymmetric crypto-key with a public 
key portion and a corresponding private key portion, each 
public key portion being accessible to the plurality of system 
users, the private key portion of a first user having a first 
private key portion known only to the first user and a 
corresponding second private key portion known only to a 
security server and the private key portion of a second user 
known only to the second user, comprising: 
a processor for decrypting a first message encrypted with 
the first private key portion of the first user crypto-key 
by applying the second private key portion of the first 
user crypto-key to thereby obtain a session key request, 
for generating a symmetric crypto-key, for encrypting 
the symmetric crypto-key with the second private key 
portion of the first user crypto-key to form a first 
encrypted key message, and for encrypting the symmetric 
crypto-key with the public key portion of the 
second user crypto-key to form a second encrypted key 
message; and 

storage media for storing the second private key portion 
of the first user crypto-key and the public key portion 
of the second user crypto-key, wherein, the symmetric 
crypto-key is obtainable by the first user by applying 
the first private key portion of the first user crypto-key 
to the first encrypted key message and by the second 
user by applying the private key portion of the second 
user crypto-key to the second encrypted key message 
so that the symmetric crypto-key is available to encrypt 
and decrypt communications between said first and said 
second users. 
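
The session key distribution steps of claim 19, as an added Python walk-through that is not part of the patent text. It assumes the private key is split multiplicatively, so that e·d1·d2 ≡ 1 (mod φ(N)) and whoever completes a decryption also applies the public exponent; the toy Mersenne-prime moduli, the request value and the XOR keystream cipher are constructed stand-ins.

```python
import hashlib
import secrets
from math import gcd

E = 65537
# Constructed toy moduli from known Mersenne primes; far too small for real use.
PA, QA = 2**31 - 1, 2**61 - 1      # first user (split private key)
PB, QB = 2**19 - 1, 2**89 - 1      # second user (whole private key)

def split_private_key(e, phi, bits=56):
    """Return (d1, d2) with e*d1*d2 = 1 mod phi (assumed multiplicative split)."""
    while True:
        d1 = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # short user portion
        if gcd(d1, phi) == 1:
            return d1, pow(e * d1, -1, phi)                   # server portion

def xor_stream(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    ks = b"".join(hashlib.sha256(key.to_bytes(8, "big") + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def distribute_session_key(request=0x5E55):
    na, nb = PA * QA, PB * QB
    d1, d2 = split_private_key(E, (PA - 1) * (QA - 1))  # user holds d1, server d2
    db = pow(E, -1, (PB - 1) * (QB - 1))                # second user's private key

    # First user: encrypt the session key request with d1.
    first_encrypted = pow(request, d1, na)
    # Server: apply d2, then the public exponent, to recover the request.
    seen_request = pow(pow(first_encrypted, d2, na), E, na)
    # Server: generate the session key and wrap it once per recipient.
    session_key = secrets.randbits(64)
    key_msg_1 = pow(session_key, d2, na)   # needs d1 to finish the decryption
    key_msg_2 = pow(session_key, E, nb)    # ordinary RSA to the second user
    # Each user unwraps its own encrypted key message.
    k_first = pow(pow(key_msg_1, d1, na), E, na)
    k_second = pow(key_msg_2, db, nb)
    # The public exponent alone, without d1, does not yield the key.
    k_no_d1 = pow(key_msg_1, E, na)
    return seen_request, session_key, k_first, k_second, k_no_d1

if __name__ == "__main__":
    req, k, ka, kb, bad = distribute_session_key()
    ct = xor_stream(ka, b"constructed sample message")
    print(req == 0x5E55, ka == kb == k, bad != k, xor_stream(kb, ct))
```
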